GlobalProtect Product Presentation Agenda Overview of GlobalProtect Technical Details Use Cases Overview Challenge: Quality of Security Tied to Location malware exploits botnets Airport Headquarters Home Office Branch Offices Enterprise-secured with full protection 4 | ©2012, Palo Alto Networks. Confidential and Proprietary. Hotel Exposed to threats, risky apps, and data leakage Existing Approaches Fall Short exploits malware botnets Corp Resources Traditional VPN Indeterminate security 5 | ©2012, Palo Alto Networks. Confidential and Proprietary. Corp Resources Always-on VPN Inconsistent security Web NonWeb Mix of Proxies + VPN Both indeterminate and inconsistent security GlobalProtect: Consistent Security Everywhere exploits malware botnets •Headquarters • • • •Branch Office VPN connection to a purpose built firewall that is performing the security work Automatic protected connectivity for users both inside and outside Unified policy control, visibility, compliance & reporting 6 | ©2012, Palo Alto Networks. Confidential and Proprietary. How GlobalProtect Works What GlobalProtect replaces Existing Point Products Next-Generation Firewall Components VPN/Remote Access External Gateways Network Access Control Internet Proxy 8 | ©2012, Palo Alto Networks. Confidential and Proprietary. Host Information Profile + Internal Gateways at Layer 3 Threat Prevention + URL Filtering GlobalProtect Licensing Licensing based on Portals and Gateways (firewall), not users Portal License Gateway Subscription Single Gateway Multiple Gateway Internal Gateway HIP check ● ● ● Mobile App 9 | ©2012, Palo Alto Networks. Confidential and Proprietary. Portal – one-time perpetual license Required on the device that would run Portal Required for multi-gateway deployments Required for internal gateways Gateway – annual subscription ● ● Required on the devices that would check host profile Required on the devices that would connect iOS and Android app Provides ongoing content updates to check the host profile GlobalProtect Technical Details GlobalProtect Components GlobalProtect Portal Portal and Gateway Gateway GlobalProtect Gateway Central authority for GlobalProtect Provides list of known gateways Provides certificates to validate gateways Hosts GlobalProtect agent for initial download May be installed on same device as a GlobalProtect Gateway Provides tunnel termination points Enforces security policy for connected users GlobalProtect Agent Software that runs on endpoint Supported on Windows 8, Windows 7, Windows Vista 32/64bit Mac OS X 10.6/10.7/10.8 ( PAN OS 4.1) iOS 5.1+ Android 4.0.3+ Endpoint with GlobalProtect Agent iOS 5.1+ Third Party IPSec Client Support iOS 4.3+ Android 4.0.3+ Linux vpnc Android 4.0.3+ Gateway Technical Details Technical Details External User Sequence - Step 1 LDAP Radius Kerberos Gateway Portal and Gateway Gateway User authenticates to portal Site to Site IPSec tunnel Portal pushes • Certificates • List of Gateways • Agent software updates • Host internal/external detection parameters • Host check requirements External User Sequence - Step 2 LDAP Radius Kerberos Gateway Portal and Gateway Gateway Agent determines if it is inside or outside the corporate network Site to Site IPSec tunnel External User Sequence - Step 3 LDAP Radius Kerberos Gateway Portal and Gateway Gateway Agent checks available GWs SSL/IPsec VPN tunnel Site to Site IPSec tunnel Automatically connects to the best gateway External User Sequence - Step 4 User moves to new location Automatically connects to the new best gateway LDAP Radius Kerberos Gateway Portal and Gateway Gateway SSL/IPsec VPN tunnel Site to Site IPSec tunnel Internal User Sequence - Step 1 Data Center Firewall Data Center User authenticates to portal Portal and Gateway LAN Portal pushes • Certificates • List of Gateways • Agent software updates • Host internal/external detection parameters • Host check requirements Internal User Sequence - Step 1 Data Center Firewall Data Center Agent determines if it is inside or outside the corporate network Portal and Gateway LAN Internal User Sequence - Step 3 The tunnel for internal users is optional Data Center Firewall Agent sends user and HIP information to gateway for policy enforcement Data Center Portal and Gateway LAN Architecture Example deployment scenario Site to Site IPSec tunnel Static NAT on router 22.214.171.124 – 192.168.1.2 Gateway 126.96.36.199 Portal / Gateway 188.8.131.52 .1 Data Center .2 192.168.1.0/30 10.1.1.1 Remote Users Function IP address Portal 184.108.40.206 External Gateway 220.127.116.11 External Gateway 18.104.22.168 Internal Gateway 10.1.1.1 LAN Portal Failure Scenario Single Portal Failure Scenario Portal Portal with High Availability Portal Portal HA Link Gateway Gateway Portal is not available Existing GlobalProtect users connect to gateway using cache configuration Portal in an HA Pair provides redundancy Same Gateway for External / Internal External Gateway Ethernet 2 External Users Internal Gateway Ethernet 1 Internal Users Ethernet 3 DMZ Data Center Gateway Failure Scenario Single Gateway Failure Scenario Portal Gateway High Availability Portal Gateway New York Gateway Toronto When gateway is unavailable, agent can automatically make connection to next best gateway Gateway New York HA Link Gateway Toronto Additional Use Cases Consistent Enforcement of Application Policies Challenge in Education o School boards concerned about inappropriate teacher/student activity on social media o Children’s Internet Protection Act requires school to block adult content o Students using web proxies to circumvent URL filters o Popular high-bandwidth applications such as bittorrent reduce available resources Solution o Use next-generation firewall for protection o Enforce policy consistently with GlobalProtect •Page 26 | © 2013 Palo Alto Networks. Proprietary and Confidential. Consistent Enforcement of Application Policies Policy for Teachers Teacher and Students using laptop at home Always-On GlobalProtect Teachers and Students using laptops at school Personal Devices Facebook Read/Post Allow Facebook Chat Block Facebook Short URLs Scan for threats Policy for Students Captive Portal •Page 27 | © 2013 Palo Alto Networks. Proprietary and Confidential. URL Category Adult Block Peer-to-Peer & Proxy Block Streaming Video QoS Untrusted Local Network Don’t assume everyone should have local network access Moving away from “give access to everyone” on LAN to “don’t trust anyone” Just like the external scenario, don’t trust anyone internally Solution o Use next-generation firewall for protection o Enforce policy consistently with GlobalProtect •Page 28 | © 2013 Palo Alto Networks. Proprietary and Confidential. Secure Local Network Internet LAN GlobalProtect Portal and Gateway Internet access with safe enablement WAP w/WPA2 LAN access through GlobalProtect GlobalProtect only permits authorized users with access to LAN resources Contractors / Guests Employees •Page 29 | © 2013 Palo Alto Networks. Proprietary and Confidential. Tunnel provides privacy for LAN traffic Data Center: Enforcing Policy with Host Information Profile Challenge Data center has applications with sensitive data, like customer info Concern about access from non-compliant endpoints, such as laptops that do not have hard disk encryption Solution All users must have a compliant endpoint to access customer information Users with non-compliant devices use virtual desktop •Page 30 | © 2013 Palo Alto Networks. Proprietary and Confidential. Enforcing Policy with Host Information Profile Application policy enforcement Devices with GlobalProtect Employees on IT managed devices Trusted user with compliant host information profile Corporate Laptop GlobalProtect Devices without GlobalProtect Personal Laptop Contractors on Guest WiFi Captive Portal •Page 31 | © 2013 Palo Alto Networks. Proprietary and Confidential. Permit app access Trusted user, with neither GlobalProtect nor HIP Permit Citrix Only Data Center Features User Authentication Authentication Methods Supported: • Local Database • LDAP • RADIUS • Kerberos Authentication Factors Supports Single Sign-On from Windows authentication Username/Password X.509 Certificate Smartcard + X.509 Certificate RSA SecureID Host Checks Host checks can be used with security policy to restrict access to resources Supported on both Windows and Mac Portal Can be used to set policy for what attributes are evaluated Gateway Examines the HIP report Controls access to applications based on matches Host Check Custom Host Checks GlobalProtect for User-ID GlobalProtect agent can identify users for User-Id purposes Works with and without a tunnel User identification must be enabled on the zone where the gateway interface is located IP to user mapping happens once the user successfully connects to the gateway. GlobalProtect for iOS and Android Available on App Store / Google Play Supports Always-on Connection Supports Automatic / Manual Gateway Selection iOS IPsec Client Support Compatibility with iOS - Compatible with iOS 4.3 and later - Uses the IPSec VPN Client on the IOS device - Support for group secret and device certificates. - Remote access VPN can be configured on the iPhone/iPad through iOS Configuration Utility (send profile via email or web) using MDM from technology partners Android IPsec Client Support Compatibility with Android - Compatible with Android 4.0.3+ - Uses the IPSec VPN Client - Support for group secret and device certificates. Demo Demonstration of the User Experience Demonstration of the Admin Experience New Features for GlobalProtect in PAN-OS 5.0 Overview Manual gateway selection Machine authentication 3rd Party Clients: vpnc IPsec client support Localization Manual Gateway Selection Allows users to manually select specific gateways Any rediscovery event will revert to Auto Discovery mode User may also manually revert to Auto Discovery mode Manual Gateway Selection (On-Demand Mode) User enables GlobalProtect in Windows Agent contacts Portal Agent downloads configuration Did user select a gateway? Yes Agent contacts selected gateway Agent closes previously connected tunnel (if necessary) GlobalProtect tunnel established No Agent discovers gateways using standard methods Manual Gateway Selection Persistence Some actions taken by a user will switch GlobalProtect agent back to default mode: • Rediscovery • Logoff, then login • Restart computer • Switch to another user, then switch back • User selects Auto discovery from the Connect to... Menu • Tunnel is terminated due to the user closing his laptop (sleep/standby/hibernate) Machine Authentication Pre-logon connection GlobalProtect can be configured to establish a connection using a already deployed machine certificate. VPN connection will be established before the user logs onto the machine. All AD policies and changes, software distribution and system management can be applied even to remote users if tunnel is established. © 2010 Palo Alto Networks. Proprietary and Confidential. Machine Authentication Username not known at the time the connection is established, generic “prelogon user” is reported to User-ID instead. Can be used in policy to restrict access to authentication resources (see sample). Username is reported to gateway once the user logs in. © 2010 Palo Alto Networks. Proprietary and Confidential. Machine Authentication Connection and authentication flow Certificates need to be pre-deployed Customers requiring this feature have PKIs deployed already Agent uses machine certificates matching the accepted CAs of the gateway Pre-logon username is updated as soon as user logs in and GlobalProtect Agent starts. © 2010 Palo Alto Networks. Proprietary and Confidential. 3rd Party Client Support New: Now supports vpnc Common VPN client used on Unix systems with Cisco Concentrators Tested on Ubuntu Linux and CentOS Supports pre-shared key for IKE © 2010 Palo Alto Networks. Proprietary and Confidential. Localization Localized GlobalProtect Agent UI Japanese Chinese (simplified) French Spanish German (GlobalProtect only) © 2010 Palo Alto Networks. Proprietary and Confidential.